The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5733.  Thanks to Alexander
for finding and reporting.

Cheers,
Fraser
From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 14 Mar 2016 14:49:47 +1100
Subject: [PATCH] caacl: correctly handle full user principal name

The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.

Fixes: https://fedorahosted.org/freeipa/ticket/5733
---
 ipalib/plugins/caacl.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 
64dbec16e11e9fa2a67287b195b4bd1180a379e7..d83c3ce892031a9877fac198eb51961fbd159571
 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -61,14 +61,14 @@ def _acl_make_request(principal_type, principal, ca_ref, 
profile_id):
     req.targethost.name = ca_ref
     req.service.name = profile_id
     if principal_type == 'user':
-        req.user.name = principal
+        req.user.name = name
     elif principal_type == 'host':
         req.user.name = name
     elif principal_type == 'service':
         req.user.name = normalize_principal(principal)
     groups = []
     if principal_type == 'user':
-        user_obj = api.Command.user_show(principal)['result']
+        user_obj = api.Command.user_show(name)['result']
         groups = user_obj.get('memberof_group', [])
         groups += user_obj.get('memberofindirect_group', [])
     elif principal_type == 'host':
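
Review bot: in the principal_type == 'user' branch, both req.user.name = name and api.Command.user_show(name) now depend on name, whose derivation from principal lies outside the lines visible in this hunk. Please confirm that name is the bare username with the realm removed, and that the realm part of 'user@REALM' is compared against the local realm before it is dropped. Otherwise a principal from a different realm with the same username would be evaluated against the local user's group memberships in the HBAC request. The diffstat shows only ipalib/plugins/caacl.py changed, so a regression test covering the full 'user@REALM' form would be worth adding with this fix.
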
-- 
2.5.0
